Geoff Crompton wrote:
> Package: cvs
> Version: 1:1.12.9-11
> Severity: important
> 
> As reported at http://www.securityfocus.com/bid/13217 there are
> "Unspecified Buffer Overflow And Memory Access Vulnerabilities".
> Not too many details available at the moment. The above web page says:
> 
> > CVS is prone to unspecified buffer overflow, memory access
> > vulnerabilities, and a NULL pointer dereference denial of service.
> > It is conjectured that the issues may be leveraged by a remote
> > authenticated user to disclose regions of the CVS process memory, and
> > to corrupt CVS process memory. The two issues combined may lead to a
> > remote attacker reliably executing arbitrary code in the context of
> > the vulnerable process, although this is not confirmed. 
> > This BID will be updated as soon as further information is made
> > available.
> 
> It also lists versions of cvs from 1.11.5 to 1.11.19 and 1.12.1 to
> 1.12.11 as vulnerable. This may mean that woody (1.11.1) is clean.
> Fedora, FreeBSD, Gentoo, and others have released advisories. I think
> Gentoo have patches with their bug reports, but I'm not sure that
> they've got all the patches, or what version they patch against.

This is fixed in unstable in cvs 1.12.9-13.

-- 
see shy jo
